Personal data from more than a million customers of licensed NSW clubs have apparently been exposed as part of a massive data leak by disgruntled workers at a third-party IT provider.

Cybercrime detectives are investigating the reported breach, which appears to include drivers’ licences and signatures captured during sign-in at venues across New South Wales.

The leak purportedly includes 500 gigabytes of user data uploaded to a website, amid allegations that contracted software developers in the Philippines have not been paid.

“We’re really concerned about the potential impact on individuals and we will encourage clubs and hospitality venues to notify patrons whose information might be affected,” NSW Gaming and Racing Minister David Harris said.

The website was apparently established days ago, but became widely known only in the past 48 hours.

It claims to have records and personal information of senior government figures, including NSW Premier Chris Minns, Deputy Premier Prue Car and Police Minister Yasmin Catley.

NSW Police have urged people to protect their personal information and be vigilant of suspicious links or messages.

“Our message is to always be vigilant when it comes to security,” Detective Acting Superintendent Gillian Lister said on Thursday.

“Never click on suspicious links via email or text. Ensure that you have a strong password for special characters and always use two-factor authentication.

“Ensure that if you suspect that your security has been compromised, change your password immediately and contact police.”

Australian cyber security expert Troy Hunt said it was not clear if photos and signatures used at sign-in were exposed in every case.

“Drivers licences, however, is Optus redux: They all need replacing now,” he posted on X, formerly known as Twitter.

“Signatures and photos are obviously immutable [by any practical measure] and combined with the other personal identities [name, phone, address], are *very* useful for criminals.”

However, police have urged club members and patrons not to rush to get new licences.

“At this stage, our advice would be not to change your licence details and await further advice,” Detective Chief Superintendent Grant Taylor said.

The leak is believed to be a “breach of a third-party provider” – an unlawful release of information – rather than a hack or cyber attack.

“We have been working with our state and federal partners and also international partners in order to take down that website,” Taylor said.

“At the very least, to disrupt that website and to stifle the ability for information of members of the public who have utilised those clubs and their data to be released to the wider community.”

The third-party IT company, Outabox, said it was investigating the potential breach of data by an “unauthorised third party from a sign-in system” used by its clients and had alerted authorities.

“We are restricted by how much information we are able to provide at this stage given it is currently under active police investigation,” it said.

“We understand this news may cause concern to our staff, clients and their customers, and we thank them for their support and patience as we work to resolve this as swiftly as possible.”

Clubs NSW said it had met affected venues and the government.

“In the interim, club patrons are advised to take extra caution when reviewing emails or texts and to avoid clicking on any suspicious or unfamiliar links,” a spokesperson said.

-with AAP